Overview

Carbanak is a highly active cyber-criminal threat group that is known for primarily targeting financial organizations such as banks. The group is said to have stolen over 1 billion US dollars from over 100 banks and their private customers across the globe. It was first discovered in 2014 by the Russian/UK cyber-crime security firm Kaspersky Lab. It is also known for using a backdoor malware of the same name, "Carbanak." Some of its espionage activities overlap with those of another adversary group dubbed FIN7, but experts believe that these are two different groups using the same Carbanak malware, and they are therefore tracked separately.

Which organizations have they targeted?

The first known samples of the Carbanak group's malware were compiled in August 2013, when the group started to test the Carbanak malware. The group successfully stole from its first victims during the period of February-April 2014. On average, each bank robbery took around two to four months, from infecting the first computer system in the bank's corporate network to cashing the money out. The peak of their infections was recorded in June 2014. Most of the financial entities targeted by the group were located in Eastern Europe; however, Carbanak also targeted victims in the USA, China, and Germany. One bank lost $7.3 million when its ATMs were programmed to spew cash at certain times that henchmen would then collect, while a separate firm had $10 million taken via its online platform. The group was also seen extending its operations to new areas, including Malaysia, Kuwait, Nepal, and several regions in Africa, among others. Most recently, in early 2019, a fileless malware "ATMitch" associated with Carbanak APT was spotted in the wild.

What is their motivation behind the attacks?

The group has a long track record of compromising the infrastructure of financial institutions. Its motive is usually manipulation of financial assets, such as transferring funds from bank accounts or taking over ATM infrastructure and commanding it to dispense cash at predetermined time intervals. The cyber-criminals also penetrated the ATM networks to reach the key people within the organization, to gain information about the ATM systems as well as about the high-profile customers of the targeted banks.

Modus Operandi

The group’s primary technique is to quietly infiltrate the infrastructure by establishing a foothold on an employee’s system, then moving laterally inside the infrastructure or elevating privileges to locate the critical systems holding the desired information. To begin the attack, spear-phishing emails are sent to the targeted institutions, which either end with victims downloading a malicious document (and eventually the Cobalt Strike beacon) or with various unpatched remote code execution vulnerabilities being exploited (Microsoft Word: CVE-2017-8570, CVE-2017-11882, and CVE-2018-0802) to deploy the Carbanak backdoor. When the user opens the attached document, scripts implanted within the file are executed in the background. The attackers use reconnaissance tools to assess the state of the victim’s workstation and ascertain which tools should be downloaded next. The malware can even open decoy documents to avoid drawing the victim’s suspicion.

In some cases, the group targeted Automated Teller Machines (ATMs) using ATMitch (fileless malware), in which the machines were instructed to dispense cash without anyone locally interacting with the terminal. After this was done, money mules would collect the cash and transfer it over the SWIFT network to the criminals’ accounts. The group also went so far as to alter databases, pumping up balances on already existing accounts and pocketing the difference, unbeknownst to the user, whose original balance remained intact.

Known tools and malware

Known zero-day vulnerabilities used by Carbanak APT

CVE-2014-1761 (Improper Restriction of Operations within the Bounds of a Memory Buffer) - It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted RTF data.

Netsh - A scripting utility used to interact with networking components on local or remote systems.

PsExec - A command-line tool that can execute processes on remote systems, often used by IT administrators as well as attackers.

Attribution

On March 26, 2018, the European Union Agency for Law Enforcement Cooperation (Europol) claimed to have arrested the "mastermind" behind the Carbanak group and the associated Cobalt or Cobalt Strike group in Alicante, Spain. The investigation was carried out by the Spanish National Police with the cooperation of law enforcement in various countries as well as private cybersecurity organizations. The arrested individual was identified as Denis K., a Ukrainian who had led the organized crime group Carbanak through several malicious acts. Between January and June 2018, three Ukrainians, Fedir Hladyr, Dmytro Fedorov, and Andrii Kolpakov, were arrested in Europe. They were accused of targeting more than 100 US companies, including Emerald Queen Hotel and Casino (Washington), Chipotle Mexican Grill, Jason’s Deli, Sonic Drive-in, Red Robin Gourmet Burgers, and Taco John’s.

Prevention

Carbanak APT’s phishing emails can bypass anti-spam solutions deployed at the mail server level, so traditional anti-malware solutions may not be sufficient to defend against such advanced threats. It is recommended to implement a defense-in-depth security model that provides URL filtering, behavior-based detection methods, and sandboxing. To detect and prevent Carbanak APT’s sophisticated lateral-movement tactics, an enterprise-level solution that looks at both endpoint behavior and network traffic is a must, so that any signs of lateral movement inside the network are detected and flagged for review by a security analyst. At the same time, organizations should also consider sharing actionable intelligence about the threats, such as file hashes (SHA1, MD5, etc.), malicious IP addresses, domains, and URLs, to ensure timely identification and proactive remediation. Use MITRE’s ATT&CK Navigator to find correlations between the various Indicators of Compromise (IOCs), TTPs, and threat actors across the phases of the incident response lifecycle, and proactively detect any signs of compromise, intrusion, or data exfiltration.
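The endpoint-behavior monitoring recommended above can be made concrete for the two living-off-the-land tools listed under "Known tools and malware." The following is an added example (not code from the original page or from any vendor product) that scans constructed Windows event records for the PsExec remote service installation (event ID 7045, service name PSEXESVC) and for netsh commands that change host firewall or port-forwarding configuration; the event records, host names and user names are all constructed for illustration.

```python
import json
import re

# Constructed sample endpoint events (not from any real incident): one PsExec-style
# remote service install, one netsh firewall change, and two benign events.
SAMPLE_EVENTS = [
    {"host": "wks-07", "event_id": 7045, "service_name": "PSEXESVC",
     "image_path": r"%SystemRoot%\PSEXESVC.exe", "user": "CORP\\jdoe"},
    {"host": "wks-07", "event_id": 4688, "new_process_name": r"C:\Windows\System32\netsh.exe",
     "command_line": "netsh advfirewall set allprofiles state off", "user": "CORP\\jdoe"},
    {"host": "srv-02", "event_id": 4688, "new_process_name": r"C:\Windows\System32\notepad.exe",
     "command_line": "notepad.exe report.txt", "user": "CORP\\asmith"},
    {"host": "srv-02", "event_id": 7045, "service_name": "Spooler",
     "image_path": r"%SystemRoot%\System32\spoolsv.exe", "user": "SYSTEM"},
]

# Event ID 7045 (System log) records a new service installation; PsExec installs a
# service named PSEXESVC on the remote host before running the requested command.
PSEXEC_SERVICE = re.compile(r"^psexesvc", re.IGNORECASE)
# Netsh invocations that weaken host protections or add a port forward warrant review.
NETSH_SUSPICIOUS = re.compile(r"\bnetsh\b.*\b(advfirewall|firewall|portproxy)\b", re.IGNORECASE)


def classify(event):
    """Return a finding label for one event, or None if it looks benign."""
    if event.get("event_id") == 7045 and PSEXEC_SERVICE.match(event.get("service_name", "")):
        return "psexec_remote_service_install"
    if event.get("event_id") == 4688 and NETSH_SUSPICIOUS.search(event.get("command_line", "")):
        return "netsh_host_config_change"
    return None


def scan(events):
    """Run classify() over every event; return findings as (host, user, label) tuples."""
    findings = []
    for ev in events:
        label = classify(ev)
        if label:
            findings.append((ev["host"], ev["user"], label))
    return findings


if __name__ == "__main__":
    for host, user, label in scan(SAMPLE_EVENTS):
        print(json.dumps({"host": host, "user": user, "finding": label}))
```

Both findings land on the same host and user, which is the kind of correlation an analyst would pivot on when reviewing lateral movement.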